GDPR Territorial Applicability

Global businesses collect personal information about consumers, and that data is often abused or sold without the consumer's consent. Data breaches are a further concern for organizations that must keep up with a constantly changing threat landscape. International companies must adhere to specific laws that protect consumers' privacy. Read on to learn more about the General Data Protection Regulation (GDPR), whose reach extends well beyond the European Union.

What is General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a regulation that sets the framework for the collection, processing, and storage of personal data of individuals in the European Union (EU) and the wider European Economic Area (EEA). Adopted in 2016, the GDPR became enforceable on May 25, 2018.


The regulation gives individuals control over their data by making the organizations that handle and process it accountable, regardless of where those organizations or their websites are based. A site does not fall under GDPR merely because Europeans happen to visit it; it falls under GDPR when it offers goods or services to people in the EU or monitors their behaviour, even if it is hosted and operated elsewhere.

To comply with GDPR, companies need to ensure that personal data is gathered lawfully and only under specific conditions. Organizations that collect and manage data are obliged to protect it from misuse and exploitation and to respect the rights of data subjects, or face financial penalties. Data breaches must be handled appropriately: the supervisory authority must normally be notified within 72 hours of the organization becoming aware of the breach, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them.

Personal data under the GDPR is any information relating to an identified or identifiable person. Obvious examples are names and government ID numbers, but the definition also covers location data and online identifiers such as IP addresses and browser cookie IDs, as well as factors specific to a person's "physical, physiological, genetic, mental, economic, cultural or social identity."

In a nutshell, if your company processes the personal data of people in the EU, offers goods or services to them, or monitors their behaviour, then the GDPR applies to your company even if you are not based in the EU. This means that a large share of businesses worldwide need a GDPR strategy.

Key Takeaways

  • The GDPR gives individuals greater control over how companies collect, use, and share their data.
  • Companies must tell individuals how their data is used, and must notify regulators (and, where the risk is high, the affected individuals) when that data is breached.
  • GDPR rules apply to any organization that processes the personal data of people in the EU, offers them goods or services, or monitors their behaviour, wherever the organization is located.

GDPR Applies to Global Companies


The GDPR aims to strengthen individuals' control and rights over their personal data and to harmonize the regulatory environment for businesses operating across borders. It replaces the Data Protection Directive 95/46/EC and sets out the requirements for processing the personal data of individuals in the European Economic Area. The regulation applies to any company, wherever it is located, that processes the personal data of individuals in the EEA, and it does so regardless of those individuals' citizenship.

As a regulation rather than a directive, the GDPR is directly binding and applicable in every member state without needing national implementing law. It does, however, contain opening clauses that allow individual member states to adapt certain provisions, such as the age of consent for children's data.

The GDPR has a global reach, even though it protects people who are in the EU. Protection depends on where the data subject is located when the processing occurs, not on their citizenship: a non-EU national living in the EU is covered, while an EU citizen living abroad generally is not. If your company sells to people in the EU now or plans to in the future, your company must be GDPR-compliant.


The following examples show how the GDPR governs the way companies around the world use personal data:

  • A U.S. company that rents cars to customers in the EU must comply with GDPR requirements when it gathers customer data. It needs a lawful basis (for example, consent or the performance of the rental contract) for collecting and storing that data, and it must be able to honor the customers' data subject rights, such as access, rectification, and erasure.
  • A New Zealand company sells makeup online and lets its users create online accounts. GDPR data subject rights and lawful-basis requirements apply to the accounts of people in the EU.
  • An international charity collects data about donors and uses it to send email updates and requests for donations. If the charity relies on legitimate interests as its lawful basis, it must document a balancing test showing that its interests are not overridden by the donors' rights and interests. In practice, obtaining explicit opt-in consent for marketing email is the safer route, not least because EU ePrivacy rules also govern unsolicited email.

The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, shares similarities with the GDPR. The GDPR has become a model for privacy laws worldwide, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya. As of October 6, 2022, the United Kingdom retains the law in near-identical form as the "UK GDPR," even though the country is no longer an EU member state.

GDPR rules apply across the 27 EU member states and the other EEA countries (Iceland, Liechtenstein, and Norway), and they reach organizations outside that territory when those organizations target or monitor people inside it. Simply having European visitors does not bring a website into scope; offering goods or services to people in the EU, or tracking their behaviour, does, even if the company and its website are hosted in the U.S. Likewise, a U.S. citizen living in the EU is protected by the GDPR whenever an organization within its scope processes their data.

How the Regulation Applies to Companies in the EU and Outside of the EU

An example of when the GDPR would apply

The GDPR would apply if you owned an online education company established outside the EU that targets Spanish-speaking students at universities in the EU. The company offers free advice on several university courses, and students need a username and a password to view the online material. Your company issues the username and password once the students fill out an enrollment form. Because the service is offered to people in the EU and their personal data is collected, Article 3(2) brings the company into scope.

An example of when the GDPR would not apply

The GDPR will not apply if your company is a service provider based outside the EU that offers services only to customers living outside the EU. Those customers can continue to use the service when travelling to other countries, including EU countries, without bringing you into scope. As long as your company does not target its services at individuals in the EU and does not monitor their behaviour there, the GDPR does not affect you.

GDPR's Broad Scope: See How the GDPR Applies Outside of the EU


There are some scenarios where GDPR applies to organizations outside of the EU.

Article 3(1) states that the GDPR applies to processing carried out in the context of the activities of an establishment in the EU, even if the data is stored or used outside the EU. Article 3(2) goes further and applies the law to organizations with no EU establishment if either of two conditions is met: the organization offers goods or services to people in the EU (whether or not payment is required), or it monitors their behaviour as far as that behaviour takes place within the EU.

Goods and Services Offerings

Targeting is about intent, not about where an individual customer happens to be. A person in London can order a product from an electronics store in Texas and have it delivered to a family home in Dallas; that alone does not show the store is offering goods to people in the EU. Regulators look for indicators of targeting such as advertising aimed at an EU country, listing prices in euros, offering delivery to EU addresses, or using the language of an EU member state. In a nutshell, if your company is not established in the EU but deliberately attracts EU customers, you should seek to be GDPR-compliant.

Monitoring Behavior

If your organization uses web tools that track cookies or IP addresses of visitors from EU countries in order to profile them, the GDPR applies to you. The boundary is not always sharp. Suppose you run a tennis club in Canada, and people in France occasionally visit your site because the club's name resembles that of a club in France. An incidental visit by itself is not monitoring, but if your analytics tools build behavioural profiles of those visitors, or you use their data for targeted advertising, you could be held accountable under the monitoring condition.

Exceptions to the Rule

This section explains two important exceptions. First, the GDPR does not apply to purely personal or household activity; it affects organizations engaged in professional or commercial activity. Gathering a few email addresses to organize a picnic with co-workers is a household activity, and you do not need to worry about complying with the GDPR. Collecting email addresses to run a fundraiser on behalf of an organization, however, is not a household activity, and the GDPR may well apply.

The second exception concerns organizations with fewer than 250 employees. Small- and medium-sized enterprises are not exempt from the GDPR, but Article 30(5) frees them from the obligation to maintain records of processing activities in some scenarios, provided the processing is occasional, is unlikely to result in a risk to individuals, and does not involve special categories of data or criminal-conviction data.

How Does GDPR Affect Individuals?


The GDPR protects an individual's personal data whenever it is collected and stored by a business or organization within the regulation's scope.

The priority of the GDPR is to protect the privacy of people in the European Union. Coverage is based on where the person is, not on nationality: the personal data of anyone in the EU, and the rights surrounding that data, are protected, whatever passport they hold.

Suppose you are under the age of 16 and you reside in the EU. Where an online service offered directly to children relies on consent as its lawful basis, the GDPR requires that consent be given or authorized by a parent or guardian; member states may lower this age threshold to as low as 13.

Here are some questions to ask to understand how the regulation affects you as an individual or an employer:

  • Are you a citizen of an EU country but living in another country? Your citizenship alone does not bring you within the GDPR; the regulation protects people who are in the EU, so data about you collected while you live outside the EU is generally outside its scope.
  • Do you live in the EU but you are not an EU citizen? Yes, you are protected. Your personal data is covered by the GDPR whether the organization processing it is based inside or outside the EU, as long as that organization falls within Article 3.
  • Does the company I work for process the personal data of people in the EU, regardless of where the company is located? If you store, process, or transmit the data of people in the EU, then your company must be GDPR-compliant, including for data collected through an online presence such as a website.
  • Does my company, or do I, engage in professional or commercial activity? The GDPR does not apply to the processing of personal data in the course of purely personal or household activities. Article 4(18) defines an enterprise as any natural or legal person engaged in an economic activity; if that describes you or your company, you must comply with the GDPR.

GDPR Requirements: The Protection of Personal Data


The GDPR requires companies to implement appropriate technical and organizational measures (Article 32) to protect personal data against loss, exposure, and unlawful processing. Article 5 of the GDPR summarizes the core principles governing the management of personal data:

  • Personal data should be processed lawfully, fairly, and in a transparent manner (lawfulness, fairness, transparency)
  • Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)
  • Personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  • Personal data should be accurate and, where necessary, kept up to date (accuracy)
  • Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed (storage limitation)
  • Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality)

Screenshot: Checklist for GDPR compliance

Costly Penalties

The fines for violating the GDPR are severe. Supervisory authorities in each member state can impose administrative fines on organizations that violate its privacy and security requirements, with penalties running into tens of millions of euros.

Companies should be aware of the two tiers of penalties: up to €10 million or 2 percent of worldwide annual turnover for breaches of obligations such as security, record-keeping, and breach notification, and up to €20 million or 4 percent of worldwide annual turnover for breaches of the core principles, data subject rights, or international transfer rules, in each case whichever is higher. Independently of these fines, data subjects have the right to seek compensation for material or non-material damage.

Final Thoughts

GDPR's data privacy principles matter to any business operating in the EU or serving people there. Operate with transparency by giving people the information they need to understand how their data is collected and used; this is a legal obligation, and it also builds the trust that brings customers back. All in all, make a good-faith effort to help people understand how their data is used and be honest about who has access to it.